How to disable direct root login

Allowing root to log in directly over SSH is a serious weakness: every brute-force attempt can be aimed at an account whose name is already known. Disabling direct root login reduces that risk, because an attacker then needs two separate secrets, the admin user's password and root's password via su, before holding root on the box. While editing the same file we also restrict sshd to protocol version 2, which is newer and more secure than version 1.

1. SSH into your server as ‘admin’ and gain root access with su -

2. Open the SSH daemon configuration file in an editor

vi /etc/ssh/sshd_config

3. Find the line

#Protocol 2,1

4. Uncomment it and change it to look like

Protocol 2

(Protocol 1 has known cryptographic weaknesses. Current OpenSSH releases have removed it entirely and treat the Protocol directive as deprecated and ignored, so this step only matters on older servers.)

5. Next, find the line

#PermitRootLogin yes

6. Uncomment it and make it look like

PermitRootLogin no

7. Save the file and quit the editor (in vi: press Esc, then type :wq and press Enter)

8. Now you can restart SSH. Keep your current session open until you have confirmed from a second terminal that a fresh login as admin still works; a mistake in this file can lock you out.

/etc/rc.d/init.d/sshd restart

Now nobody can log in as root over SSH without first logging in as admin and running ’su -’ to become root.

Be sure that you remember both the passwords!
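The eight steps above carried out as a script, as an added example that is not part of the original page. The editing function rewrites a directive wherever it already appears (commented out or active), keeps a global setting above any Match block, and the wrapper refuses to restart sshd if the result does not parse. The config path, the sshd binary location and the SysV init script are assumptions for the Red Hat style host the page describes; adjust them for your distribution.

```bash
#!/bin/sh
# Added example, not from the original page. Edits sshd_config idempotently,
# then validates before restarting so a typo cannot lock you out.
# Assumptions: OpenSSH, config in /etc/ssh/sshd_config, sshd binary in
# /usr/sbin, SysV init script as on the page. The config path is a
# parameter, so the editing function can be tried on a scratch copy first.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE", comments
# out any later active duplicate (sshd honours only the first value, so a
# stray second line is misleading), and appends the directive if the file
# has none. Directives after a "Match" line are conditional, so a global
# setting is placed before the first Match block rather than at the end.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0; lk = tolower(key) }
        {
            if (!in_match && $0 ~ /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (in_match) { print; next }           # leave Match blocks alone
            line = $0
            is_comment = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)         # strip indent and "#"
            n = split(line, f, /[ \t=]+/)
            if (n > 0 && tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1; next }
                if (!is_comment) { print "#" $0; next }
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd [CONFIG]: apply the two changes from the steps above, test the
# result with "sshd -t" (non-zero exit on a syntax error) and only then
# restart. Keep your current session open until a fresh login works.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    sshd_bin=${SSHD:-/usr/sbin/sshd}
    set_sshd_option "$cfg" Protocol 2 || return 1
    set_sshd_option "$cfg" PermitRootLogin no || return 1
    if ! "$sshd_bin" -t -f "$cfg"; then
        echo "$cfg failed validation; sshd NOT restarted" >&2
        return 1
    fi
    /etc/rc.d/init.d/sshd restart    # systemd hosts: systemctl restart sshd
}
```

On a current OpenSSH the Protocol line only produces a "Deprecated option" warning from sshd -t; the PermitRootLogin change is the one that matters there. Run set_sshd_option against a copy of the file first if you want to see the edit before touching the live configuration.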

Creating a super user with root rights.

Sudo is a program that lets normal users execute commands as the superuser or as another user. Sudo access is controlled by /etc/sudoers: the users listed there can run the commands they are granted with an effective user id of 0 and root’s group id.

The file ‘/etc/sudoers’ should only be edited with the editor “visudo”, which locks the file and checks its syntax before saving. A syntax error in /etc/sudoers makes sudo refuse to run for everyone, so never edit it with a plain editor.

1. First, create a user called “admin1”

useradd admin1
passwd admin1

2. To give this user root privileges, edit the file with visudo as follows:

# visudo

3. Go down to the line ‘# User privilege specification’ and add the following line, which lets admin1 run any command as any user (that is, unrestricted root):

admin1 ALL=(ALL) ALL
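The line above grants admin1 unrestricted root. As an added example that is not part of the page, here is how to grant only a named set of commands instead, through a drop-in file under /etc/sudoers.d, and how to check the result with visudo before relying on it. It assumes /etc/sudoers contains the usual #includedir /etc/sudoers.d line; the command paths are illustrative for the Red Hat style host the page describes, and the directory is a parameter so the file can be generated somewhere harmless first.

```bash
#!/bin/sh
# Added example, not from the original page. Grants a user a limited set of
# commands via a sudoers.d drop-in instead of "ALL=(ALL) ALL".
# Assumptions: /etc/sudoers has "#includedir /etc/sudoers.d"; the command
# paths match the host. DIR is a parameter so the file can be generated
# in a scratch directory and inspected before it is installed.

# write_sudoers_dropin USER [DIR]
# Writes DIR/USER (mode 0440, which sudo requires) and prints its path.
# Alias names must be upper-case [A-Z0-9_] and start with a letter, hence
# the U_ prefix and the tr pipeline. Commands are listed with their exact
# arguments: no wildcards (sudo matches "*" across argument boundaries),
# no editors or shells (either is full root), no "ALL".
write_sudoers_dropin() {
    user=$1; dir=${2:-/etc/sudoers.d}
    f="$dir/$user"
    tag=U_$(printf '%s' "$user" | tr -c 'A-Za-z0-9' '_' | tr 'a-z' 'A-Z')
    old=$(umask); umask 077
    cat > "$f" <<EOF
# Limited privileges for $user (generated; edit with: visudo -f $f)
Cmnd_Alias ${tag}_SERVICES = /sbin/service sshd restart, /sbin/service httpd restart
Cmnd_Alias ${tag}_LOGS = /usr/bin/tail /var/log/secure, /bin/cat /var/log/secure
Defaults:$user timestamp_timeout=5
$user ALL=(root) ${tag}_SERVICES, ${tag}_LOGS
EOF
    rc=$?
    umask "$old"
    [ $rc -eq 0 ] && chmod 0440 "$f" && printf '%s\n' "$f"
}

# check_sudoers FILE: ask visudo to parse FILE only; non-zero exit on error.
check_sudoers() {
    visudo -c -f "$1" >/dev/null
}
```

After installing the file, "sudo -l -U admin1" (as root) prints exactly what the user may run, which is the quickest way to confirm the grant is as narrow as intended.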

Hide apache web server version

It is possible to hide the Apache web server version and the other details it advertises. This is done for security reasons: it is not a good idea to broadcast the exact versions of the software running on the server, since they tell an attacker which known vulnerabilities to try first. You may have noticed the following (or something similar) at the bottom of an error page:

Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 Server at XXX.com Port 80

Add or edit the following two directives in the Apache configuration file (httpd.conf):

ServerSignature Off
ServerTokens Prod

ServerSignature Off: tells Apache not to append the server version line to error pages and other pages it generates itself (directory listings, mod_status output and so on).
ServerTokens Prod: tells Apache to send only "Apache" in the Server header, which is returned with every response. The product name itself is still sent; core Apache has no ServerTokens value that removes it entirely.

Restart the web server (run apachectl configtest first so a typo in httpd.conf does not take the site down).

$ service httpd restart
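The two directives only help if they are actually in effect, so check what the server sends rather than trusting the file. The functions below are an added example, not part of the page: one inspects the Server header of a captured response, the other looks for the signature footer on an error page, and a wrapper runs both against a live host. The only assumption is that curl is installed and Apache answers on port 80 when the live check is used; the parsers work on any captured text.

```bash
#!/bin/sh
# Added example, not from the original page. Verifies ServerTokens /
# ServerSignature hardening by inspecting a real response rather than
# trusting the config file. Assumes only that curl is installed for the
# live check; the parsers work on captured text.

# server_header_leaks: reads raw HTTP response headers from stdin.
# Returns 0 (true) when the Server header says more than a bare product
# name: a version number, a "/"-separated module list or a "(Unix)" style
# platform tag, i.e. anything ServerTokens Prod would have removed.
server_header_leaks() {
    hdr=$(tr -d '\r' | awk 'tolower($1) == "server:" {
                                sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    case $hdr in
        '')                return 1 ;;   # header absent: nothing disclosed
        *[0-9]*|*/*|*'('*) return 0 ;;   # "Apache/2.2.9 (Unix) mod_ssl/..."
        *)                 return 1 ;;   # e.g. just "Apache"
    esac
}

# error_page_has_signature: reads an HTML body from stdin. Returns 0 when
# the ServerSignature footer ("... Server at host Port 80") is present.
error_page_has_signature() {
    grep -qi '<address>.*Server at .* Port [0-9]*</address>'
}

# check_site [HOST]: live check against a running Apache (needs curl).
# Requests a path that does not exist so that an error page is generated.
check_site() {
    host=${1:-localhost}
    status=0
    if curl -sS -I "http://$host/" | server_header_leaks; then
        echo "$host: Server header still reveals version/modules" >&2
        status=1
    fi
    if curl -sS "http://$host/this-path-does-not-exist" | error_page_has_signature; then
        echo "$host: error pages still carry the ServerSignature footer" >&2
        status=1
    fi
    [ $status -eq 0 ] && echo "$host: server identification is minimal"
    return $status
}
```

ServerTokens is a server-wide setting and cannot be overridden per virtual host, so one check against any site on the box is enough for the header; the signature check is worth repeating per site because ServerSignature can be set in a VirtualHost.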

RSA key pair generation

An RSA key pair lets you SSH to the server without typing the account's password: the server checks your public key instead. Generating a key pair is very simple. Bear in mind that a key with an empty passphrase lets anyone who copies the private key file log in as root on every server that trusts it, so protect the file and prefer a passphrase (ssh-agent can hold the unlocked key so you do not retype it).

Please follow the steps given below.

From the server1,

$ ssh-keygen -t rsa

Press Enter to accept the default file location of /root/.ssh/id_rsa, then enter a passphrase when prompted (pressing Enter leaves the key unprotected).

Make sure the directory “/root/.ssh” is accessible only by its owner and the private key “/root/.ssh/id_rsa” is readable only by its owner. ssh refuses to use a private key that other users can read, and sshd likewise ignores an .ssh directory or authorized_keys file with loose permissions.

$ chmod 700 /root/.ssh
$ chmod 600 /root/.ssh/id_rsa

Now create the file “/root/.ssh/authorized_keys” on the target system (server2) if it does not exist yet; it too must be readable only by root.

$ touch /root/.ssh/authorized_keys

From server1, copy the contents of the file “/root/.ssh/id_rsa.pub” into the file “/root/.ssh/authorized_keys” on server2. You can do it with “scp” as follows. Note that scp replaces the target file: if server2 already has an authorized_keys file with keys you want to keep, append the new key to it instead (ssh-copy-id does exactly that).

$ scp /root/.ssh/id_rsa.pub root@server2:/root/.ssh/authorized_keys

That’s all

Now you can connect to server2 from server1 through SSH without typing the password (only the key's passphrase, if you set one).

Using iptables to rate limit incoming connections

We all know various ways of blocking dictionary attacks against SSH, such as disabling direct root login or moving sshd off the default port 22. Besides these we can also use iptables in a smarter way to get the same result. Let's see how to accomplish this.

We make use of the recent module, which adds source IP addresses to a list that later rules can test connection attempts against. Let's make things clear using an example. Consider the following two iptables commands.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Here the --set parameter in the first line adds the source address of the host that initiated the connection to the "recent" list, where the second rule tests it again. Note that both commands use -I, which inserts at the top of the chain, so after running them the DROP rule sits above the --set rule; the pair still works, but keep that order in mind when reading iptables -L output.

It is in the second rule that the actual magic happens.

--update tests whether the source address is already in the list of recent connections and, when the rule as a whole matches, refreshes the address's timestamp. In our case every new connection on port 22 is in the list because the --set rule adds it.

--seconds makes the address match only if its recorded connections fall within the given time window.

--hitcount works in a similar way, matching only if at least the given number of connections from that address were recorded within the window.

Taken together, the second rule DROPs a new SSH connection from any address that has already made four or more new connections in the last 60 seconds. Because a matching --update refreshes the entry, an attacker who keeps hammering stays blocked until it has been quiet for a full 60 seconds, while an address that simply stops trying is let back in once its old entries age out.

We can change the connection limit by modifying the hit count. The hit count cannot exceed the number of timestamps the kernel keeps per address (the xt_recent module parameter ip_pkt_list_tot, 20 by default), so larger limits need that parameter raised.
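The two rules placed in a complete INPUT policy, plus a small reader for the kernel's recent list, as an added example that is not part of the original page. It uses -A so the --set rule really is evaluated before the --update rule (with that order the current attempt is already counted, so the fourth new connection in 60 seconds is the one dropped), names the list so it does not share the DEFAULT table with other rules, lets established sessions through before the limiter, and can exempt a trusted management network. Interface, port, the trusted network and the sample /proc/net/xt_recent lines are assumptions or constructed data; setting IPT=echo prints the rules instead of applying them.

```bash
#!/bin/sh
# Added example, not from the original page. The page's two rules inside a
# working INPUT policy, and a reader for the list the kernel keeps.
# IPT defaults to iptables; set IPT=echo to print the rules instead of
# applying them. Interface, port and TRUSTED are assumptions; adjust them.

IPT=${IPT:-iptables}
IFACE=${IFACE:-eth0}
SSH_PORT=${SSH_PORT:-22}
TRUSTED=${TRUSTED:-}   # optional management address/network never limited

ssh_ratelimit_rules() {
    # Packets of established sessions never reach the limiter, so an admin's
    # open session is not counted against the admin's address.
    $IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A trusted management network (if any) bypasses the limiter entirely.
    if [ -n "$TRUSTED" ]; then
        $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -s "$TRUSTED" -j ACCEPT
    fi
    # Record every new SSH connection's source address in the list "SSH" ...
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -m state --state NEW \
        -m recent --name SSH --set
    # ... and drop a new connection from an address with 4 or more entries in
    # the last 60 s. -A keeps this rule below --set, so the current attempt
    # is already counted; a match also refreshes the entry, extending the
    # block for as long as the attacker keeps trying.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -m state --state NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -m state --state NEW -j ACCEPT
}

# recent_hitters FILE [HITCOUNT]: list addresses in an xt_recent table with
# at least HITCOUNT timestamps recorded, one "addr count" per line. FILE is
# normally /proc/net/xt_recent/SSH, whose lines look like
#   src=203.0.113.9 ttl: 64 last_seen: 4295898173 oldest_pkt: 4 4295893001, ...
# The 60 s window is not evaluated here: the timestamps are kernel jiffies,
# meaningful only on the running kernel. This is a "who is being tracked"
# view, not a reimplementation of the match.
recent_hitters() {
    file=$1; need=${2:-4}
    awk -v need="$need" '
        /^src=/ {
            addr = substr($1, 5)
            n = 0
            # the timestamps are the fields after "oldest_pkt: <index>"
            for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") { n = NF - i - 1; break }
            if (n >= need) printf "%s %d\n", addr, n
        }' "$file"
}
```

An address can be released early with "echo -203.0.113.9 > /proc/net/xt_recent/SSH", and the whole list cleared with "echo / > /proc/net/xt_recent/SSH", which is useful after locking yourself out while testing.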
